Busy help desks are the social engineer's playground. They take full advantage of the chaos rampant on help desks...
just trying to keep up with the high volume of calls routinely besieging them. They barely have time to reset passwords, let alone verify the caller's identity.
The three rules for defeating social engineers are verify, verify and verify. Even if you can only contact the user by phone, there are simple ways to separate legitimate employee requests from those of attackers and con men from outside the company or less than scrupulous employees who are up to no good.
First, every help desk staffer should have an employee directory readily available. The directory should have other information about the employee, besides just their phone number and e-mail address. It should also have information about their department, their manager's name, their title and location or cube number, for example. Check if the employee is listed. If not, red flags should go up immediately. Even if listed, ask a few random questions from the information about the employee in the directory. The important thing is to keep the questions random and unpredictable. You should report any slip-ups or obvious irregularities to your information security department's incident response team for follow up. Provide them with whatever additional information the help desk staffer has to track down the offender.
There are two other ways for the help desk to protect themselves after password resets. Send an e-mail to the employee immediately after completing the password reset. If someone other than the employee maliciously changed the password in the employee's name, the real employee will probably call the help desk right after getting the e-mail. The real employee will likely sound concerned or ask questions about the supposed "mix up." Another way is to follow up after the reset with a call to the employee's boss. The supervisor can then verify with the employee in person.
Also, keep a readily available log of all password resets. Educate your help desk staff to check the log and always look out for:
- Suspicious patterns
- Repeated resets by the same individual, or groups either in the same or related departments
- Requests at odd times or from unusual locations
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.